Detection rules › Elastic
Potential ADIDNS Poisoning via Wildcard Record Creation
Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because the default permission on a zone allows any authenticated user to create DNS records. Attackers can create a wildcard record to redirect traffic for any name that does not explicitly match a record in the zone, placing themselves in a Man-in-the-Middle position and abusing DNS much as LLMNR/NBNS spoofing does.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1557 Adversary-in-the-Middle |
| Collection | T1557 Adversary-in-the-Middle |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5137 | A directory service object was created. |
Stages and Predicates
Stage 1: eql:any
winlog.event_data.ObjectDN:"DC=*,*"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| winlog.event_data.ObjectDN | starts_with | DC=*, |
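The following Python applies the same predicate the rule expresses (a Windows Security event 5137 whose `ObjectDN` starts with `DC=*,`) to a handful of sample events and reports the zone and creating account for each hit. This is an added example, not Elastic's rule code; the events are constructed to resemble winlogbeat's flattened Security-Auditing fields and are not real captures, and the `zone_of` helper is an assumption about how a `dnsNode` DN is laid out (node RDN first, then the zone RDN, then `CN=MicrosoftDNS`).

```python
"""Flag Security event 5137 records that create a wildcard ADIDNS node.

Added example, not part of Elastic's rule. SAMPLE_EVENTS is constructed to
mirror winlogbeat's flattened Security-Auditing fields; it is not real data.
"""
from typing import Iterable

# The rule's predicate: the created object's DN starts with a wildcard node RDN.
WILDCARD_PREFIX = "DC=*,"

SAMPLE_EVENTS = [
    {   # benign: an ordinary host record registered in the zone
        "event": {"code": "5137", "action": "Directory Service Changes"},
        "host": {"os": {"type": "windows"}},
        "winlog": {"event_data": {
            "ObjectDN": "DC=fileserver01,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example",
            "ObjectClass": "dnsNode",
            "SubjectUserName": "svc-dhcp",
        }},
    },
    {   # suspicious: a wildcard node created at the apex of corp.example
        "event": {"code": "5137", "action": "Directory Service Changes"},
        "host": {"os": {"type": "windows"}},
        "winlog": {"event_data": {
            "ObjectDN": "DC=*,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example",
            "ObjectClass": "dnsNode",
            "SubjectUserName": "jdoe",
        }},
    },
    {   # same DN but event 5136 (object modified): the rule keys on creation only
        "event": {"code": "5136", "action": "Directory Service Changes"},
        "host": {"os": {"type": "windows"}},
        "winlog": {"event_data": {
            "ObjectDN": "DC=*,DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example",
            "ObjectClass": "dnsNode",
            "SubjectUserName": "jdoe",
        }},
    },
    {   # 5137 for an unrelated AD object: the DN does not start with DC=*,
        "event": {"code": "5137", "action": "Directory Service Changes"},
        "host": {"os": {"type": "windows"}},
        "winlog": {"event_data": {
            "ObjectDN": "CN=jsmith,OU=Users,DC=corp,DC=example",
            "ObjectClass": "user",
            "SubjectUserName": "hr-admin",
        }},
    },
]


def _get(event: dict, *path: str, default: str = "") -> str:
    """Walk a nested dict safely; missing keys yield the default."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_wildcard_dns_creation(event: dict) -> bool:
    """Mirror the rule: Windows host, event 5137, ObjectDN starting with 'DC=*,'."""
    object_dn = _get(event, "winlog", "event_data", "ObjectDN")
    return (
        _get(event, "host", "os", "type") == "windows"
        and _get(event, "event", "code") == "5137"
        and object_dn.upper().startswith(WILDCARD_PREFIX)
    )


def zone_of(object_dn: str) -> str:
    """Return the zone name from a dnsNode DN (assumed layout: node RDN, zone RDN, ...).

    A plain split on ',' is enough here because dnsNode RDNs do not contain escaped
    commas; a general DN parser would be needed for arbitrary AD objects.
    """
    rdns = object_dn.split(",")
    if len(rdns) < 2 or not rdns[1].upper().startswith("DC="):
        return ""
    return rdns[1][3:]


def find_wildcard_record_creations(events: Iterable[dict]) -> list[dict]:
    """Return one summary per matching event: creating account, zone and full DN."""
    hits = []
    for ev in events:
        if is_wildcard_dns_creation(ev):
            dn = _get(ev, "winlog", "event_data", "ObjectDN")
            hits.append({
                "user": _get(ev, "winlog", "event_data", "SubjectUserName"),
                "zone": zone_of(dn),
                "object_dn": dn,
            })
    return hits


if __name__ == "__main__":
    for hit in find_wildcard_record_creations(SAMPLE_EVENTS):
        print(f"wildcard record created in zone {hit['zone']} by {hit['user']}: {hit['object_dn']}")
```

Only the second sample event matches: the 5136 modification of the same DN and the 5137 creation of a user object are both ignored, which is the same separation the rule's event-ID and `starts_with` predicates make. The reported `SubjectUserName` and zone are the first two things a responder needs in order to judge whether the wildcard node was created by an account and in a zone where that is expected.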